# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# NixOS module for the "bvm-radius" VM. It sets static addressing on two
# interfaces, installs FreeRADIUS, and opens RADIUS authentication
# (UDP/1812) only to the sources listed in the firewall section below.
{ config, depot, pkgs, ... }:
let
  # Bound here but not referenced anywhere in this module.
  inherit (depot.ops) secrets;
in
{
  imports = [ ../lib/bvm.nix ];

  # Networking!
  networking.hostName = "bvm-radius";
  networking.hostId = "dcc75f10";

  # enp1s0: address in 10.100.0.0/23.
  networking.interfaces.enp1s0.ipv4.addresses = [
    { address = "10.100.0.207"; prefixLength = 23; }
  ];

  # enp2s0: publicly addressed interface; both default routes use it.
  networking.interfaces.enp2s0 = {
    ipv4.addresses = [
      { address = "92.118.28.9"; prefixLength = 24; }
    ];
    # NOTE(review): a /32 on-link prefix is unusually wide for an interface
    # address - confirm this is intended and not a narrower prefix.
    ipv6.addresses = [
      { address = "2a09:a441::9"; prefixLength = 32; }
    ];
  };

  networking.defaultGateway = {
    address = "92.118.28.1";
    interface = "enp2s0";
  };
  networking.defaultGateway6 = {
    address = "2a09:a441::1";
    interface = "enp2s0";
  };

  # Source allowlist for RADIUS authentication (UDP/1812). Port 1813
  # (accounting) is not opened by these rules.
  #
  # Caveats for whoever maintains this allowlist:
  #  * The roamingN.ja.net names are resolved by iptables once, when each
  #    rule is inserted, not per packet. The effective allowlist is whatever
  #    DNS answered at firewall (re)load time; later address changes are not
  #    picked up until the next reload, and a failed lookup at load time
  #    makes the command fail. Pinning the published addresses, or making
  #    sure a trusted resolver is reachable before the firewall starts,
  #    removes that dependency.
  #  * Source-address filtering on UDP is a coarse, spoofable filter. The
  #    per-client shared secrets in the FreeRADIUS configuration (not part of
  #    this file) remain the real authentication of RADIUS peers; treat these
  #    rules as defence in depth.
  networking.firewall.extraCommands = ''
    # Allow JANET inbound RADIUS traffic.
    ip46tables -A nixos-fw -p udp --dport 1812 --src roaming0.ja.net -j nixos-fw-accept
    ip46tables -A nixos-fw -p udp --dport 1812 --src roaming1.ja.net -j nixos-fw-accept
    ip46tables -A nixos-fw -p udp --dport 1812 --src roaming2.ja.net -j nixos-fw-accept

    # Allow inbound RADIUS from authenticators.
    ip6tables -A nixos-fw -p udp --dport 1812 --src 2a09:a443::/64 -j nixos-fw-accept
    iptables -A nixos-fw -p udp --dport 1812 --src 92.118.30.0/24 -j nixos-fw-accept
  '';

  my.ip.tailscale = "100.120.98.116";

  # Only the package is installed here; no FreeRADIUS service options are
  # set in this module.
  environment.systemPackages = [ pkgs.freeradius ];

  # Pins state-format defaults to the release the host was first installed
  # with; it does not select the NixOS version that is running.
  system.stateVersion = "21.05";
}